Error after installing certificate, SSL_ERROR_BAD_CERT_DOMAIN

My domain is: https://www.denhelderactueel.nl

I ran this command:
Through Plesk the LetsEncrypt module is installed; I tried to have an SSL certificate installed automatically.

It produced this output:
Failed to resolve the challenge for www.denhelderactueel.nl.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/oQUWmi5pvRzw-zK3m6bQ0kHxbKNDg5vKmHKzAfJvbk8.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: DNS problem: SERVFAIL looking up CAA for www.denhelderactueel.nl

My web server is (include version): not sure, a server from strato

The operating system my web server runs on is (include version):
CentOS Linux 7.4.1708 (Core)

My hosting provider, if applicable, is: strato

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know, I use Plesk

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx v17.0.17_build1700161028.14 os_CentOS 7

So Plesk said the LetsEncrypt certificate is installed, but with 2 warnings: the one I posted here and one for webmail.

It appears to be some kind of DNSSEC misconfiguration.

Whereas the root domain works OK: https://unboundtest.com/m/CAA/denhelderactueel.nl/QPXQMQ2F,
the www. variant does not validate: https://unboundtest.com/m/CAA/www.denhelderactueel.nl/CHDYDF7A

The error code meaning is as follows, but I am unsure on the exact implications. Perhaps somebody else can help here:

BOGUS means that the object (RRset or message) failed to validate (according to local policy), but should have validated.

I found a similar thread here: CAA SERVFAIL on subdomain - #10 by Jan-E but it did not have a positive resolution.

1 Like

What exactly did Plesk say?

It looks like 5 certificates have recently been issued for denhelderactueel.nl, but none for www.denhelderactueel.nl.

https://denhelderactueel.nl/ is using one of those certificates right now, but it redirects to https://www.denhelderactueel.nl/, which isn’t using an appropriate certificate.

That DNS error is fatal. It won’t be possible to get a certificate for www.denhelderactueel.nl until it is fixed.

https://letsencrypt.org/docs/caa/

Since the domain appears to be using PowerDNS, my perennial guess for NSEC errors I don’t understand is that the DNS admin should try running “pdnsutil rectify-zone denhelderactueel.nl” and see if it helps.

(And also make sure PowerDNS is a new enough version, but I don’t think that’s the issue.)

If your DNS admins won’t fix problems, replacing www's A record with a CNAME might help work around it. Or not, I’m not sure.

Disabling DNSSEC would also work around it. :slightly_frowning_face:

Edit: See? I always say that. @_az linked to me saying it a month ago!

1 Like
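To make the "that DNS error is fatal" point concrete, here is an added illustration (not code from the thread, from Let's Encrypt or from Plesk) of how a CA locates the CAA records that govern a name: it climbs from the requested name towards the root and stops at the first CAA RRset it finds (RFC 8659 section 3). A SERVFAIL at any label on the way, which is what a validating resolver returns for a BOGUS DNSSEC answer, aborts the whole lookup, so valid records at the apex do not help when the www label fails validation. The zone data, resolver dictionary and names (`example.org`, `CONSTRUCTED_ZONE`, `check`) are constructed for the example; the second dictionary models the thread's outcome where the DS record was removed and the resolver therefore no longer fails validation.

```python
"""CAA lookup as a CA performs it (RFC 8659 section 3), run against a
constructed, in-memory resolver so it works offline. Added illustration;
none of the zone data below is real."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str   # "ca-domain; parameters", or ";" meaning "no CA may issue"


# name -> (rcode, CAA records): a constructed resolver view of an imaginary zone.
Resolver = Dict[str, Tuple[str, List[CAARecord]]]
CONSTRUCTED_ZONE: Resolver = {
    ".":                   ("NOERROR", []),
    "org.":                ("NOERROR", []),
    "example.org.":        ("NOERROR", [CAARecord(0, "issue", "letsencrypt.org")]),
    "www.example.org.":    ("SERVFAIL", []),   # DNSSEC BOGUS at this label
    "mail.example.org.":   ("NOERROR", []),    # no CAA here: climb to the apex
    "secure.example.org.": ("NOERROR", [CAARecord(0, "issue", "letsencrypt.org"),
                                        CAARecord(0, "issuewild", ";")]),
}
# Same zone after the DS record is removed: the resolver stops validating, so
# the www label answers NOERROR with no records and the lookup climbs to the apex.
ZONE_AFTER_DS_REMOVED: Resolver = dict(CONSTRUCTED_ZONE,
                                       **{"www.example.org.": ("NOERROR", [])})


class CAALookupError(Exception):
    """CAA could not be determined; a CA must then refuse to issue."""


def query_caa(name: str, resolver: Resolver) -> Tuple[str, List[CAARecord]]:
    """Stand-in for a real DNS query; names absent from the table answer NXDOMAIN."""
    return resolver.get(name, ("NXDOMAIN", []))


def relevant_caa(hostname: str, resolver: Resolver) -> Tuple[str, List[CAARecord]]:
    """Climb from hostname to the root; the first non-empty CAA RRset governs.
    SERVFAIL at any label aborts (a BOGUS answer cannot be treated as 'no CAA')."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        name = ".".join(labels[i:]) + "." if i < len(labels) else "."
        rcode, records = query_caa(name, resolver)
        if rcode == "SERVFAIL":
            raise CAALookupError(f"SERVFAIL looking up CAA for {name}")
        if records:
            return name, records
    return ".", []


def ca_domain_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(hostname: str, ca_domain: str, resolver: Resolver,
                     wildcard: bool = False) -> bool:
    _, records = relevant_caa(hostname, resolver)
    if not records:
        return True  # no CAA anywhere on the path: any CA may issue
    known = ("issue", "issuewild", "iodef")
    # An unrecognised property with the critical flag set forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in known for r in records):
        return False
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # For wildcard names issuewild alone governs when present; otherwise issue does.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present but nothing restricts issuance (e.g. only iodef)
    return any(ca_domain_of(r.value) == ca_domain.lower() for r in applicable)


def check(hostname: str, ca_domain: str, resolver: Resolver,
          wildcard: bool = False) -> str:
    """Human-readable verdict: 'allowed', 'denied' or 'error: ...'."""
    try:
        return "allowed" if issuance_allowed(hostname, ca_domain, resolver, wildcard) else "denied"
    except CAALookupError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for name in ("example.org", "www.example.org", "mail.example.org", "secure.example.org"):
        print(f"{name:22} {check(name, 'letsencrypt.org', CONSTRUCTED_ZONE)}")
    print("after DS removal, www:", check("www.example.org", "letsencrypt.org", ZONE_AFTER_DS_REMOVED))
    print("wildcard *.secure:", check("secure.example.org", "letsencrypt.org", CONSTRUCTED_ZONE, wildcard=True))
```

Running the script shows the asymmetry from the thread: `mail.example.org` and the apex are allowed because the climb reaches the apex record, while `www.example.org` yields an error even though the apex CAA names the same CA. With the DS record gone the same www label becomes "allowed", which is exactly the "works, but only because the zone is no longer secure" outcome described later in the thread.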

I've asked my domain host for help concerning the DNS settings. I don't see anything weird with them, but hopefully they will. Is it an option to move the domain registration to strato as well, so domain name and server are both with strato?

Looks like your CAA error is gone now: https://unboundtest.com/m/CAA/www.denhelderactueel.nl/5HUS3EW5

You should try again issuing the certificate.

2 Likes

Looks like they yanked the DS record. The NSEC issue isn’t fixed, it’s just irrelevant because the zone is no longer secure.

At least it works, though.

(Edit: And people who hate DNSSEC will be happy. :stuck_out_tongue_winking_eye:)

1 Like

I guess it’s better to start over (or not) than to let an error exist :slight_smile:

what do you mean by start over?

Referring to your host removing the complete DS record, so the CAA error won’t persist. It’s not really fixing the CAA error itself, but removing the whole feature in total.

I renewed the certificate and added the www. to it. The only error returned this time had to do with webmail. So both the . and www. domains must be OK now.
